
Sony Rootkit may Lead to Regulation

Posted by CowboyNeal
from the enough-is-enough dept.
An anonymous reader writes "Computerworld has a story about DHS officials meeting with Sony to read them the riot act, following the rootkit fiasco. From the story: 'A U.S. Department of Homeland Security (DHS) official warned today that if software distributors continue to sell products with dangerous rootkit software, as Sony BMG Music Entertainment recently did, legislation or regulation could follow.'"
  • WTF? (Score:5, Interesting)

    by smash (1351) on Friday February 17, 2006 @05:16AM (#14740718) Homepage Journal
    So if a 15 year old crashes his school's webserver by getting a bunch of friends in IRC to click on it too many times he can be prosecuted, but if a global megacorporation does something far more insidious (effectively, SELLING you TROJANED media), then "we need regulation"?

    Why are people not in jail for this yet?

    (yes, that was a rhetorical question).

    smash.

    • by Anonymous Coward
      The world runs on money.
      • You clearly don't know what a "rhetorical question" is, or didn't read my post.

        :)

        smash.

    • Re:WTF? (Score:5, Interesting)

      by lennart78 (515598) on Friday February 17, 2006 @05:23AM (#14740741)
      According to www.opensecrets.org Sony has, over the years, ponied up millions of dollars in contributions to political parties. I haven't seen that 15 year old script-running-juvenile matching that.
      • Re:WTF? (Score:5, Insightful)

        by smash (1351) on Friday February 17, 2006 @05:31AM (#14740764) Homepage Journal
        I don't need opensecrets.org to tell me that. :)

        I was merely trying to point out how "fucked up" the system is - we live in a world that allowed the two events described above to have the outcomes they did...

        smash.

      • Re:WTF? (Score:3, Insightful)

        by CastrTroy (595695)
        Why is a non-voting entity allowed to give political contributions?
        • Re:WTF? (Score:5, Insightful)

          by crawling_chaos (23007) on Friday February 17, 2006 @10:33AM (#14741857) Homepage
          Because its shareholders are largely voters. The Supreme Court has ruled money to be speech, and the Right of the People to assemble to petition the government for redress of grievances is in the Constitution. Like it or not, a corporation is an assembly of some of the People, just like a union, or political party.

          I agree it stinks, but I'm not exactly sure how we stop it short of a constitutional amendment, and if that amendment is too broadly worded, the cure could be worse than the disease.

          • Re:WTF? (Score:3, Interesting)

            by drinkypoo (153816)

            I agree it stinks, but I'm not exactly sure how we stop it short of a constitutional amendment, and if that amendment is too broadly worded, the cure could be worse than the disease.

            Outlaw campaign contributions to anything other than a central fund. Cap campaign spending at a dramatically lower level. The n candidates with the most petition signatures get on the ballot, and get equal campaign funds.

            This prevents people from buying elections...

            The only missing piece here is who pays for advertis

            • Re:WTF? (Score:3, Interesting)

              by crawling_chaos (23007)
              I propose that all media outlets be required to dedicate a certain percentage of their space to this purpose. It can be part of their licensing fees.

              Including Slashdot? Or does "media" not include the net?

              Furthermore, with the ruling that cash == speech, there is no way to cap or equalize spending. It's unconstitutional prior restraint. Yes, it sucks, but that is the law as written. You can force someone to forgo government assistance if they spend beyond a certain limit, but you cannot limit the amount o

        • Re:WTF? (Score:3, Interesting)

          by philipgar (595691)
          I would say the most important reason is to avoid unfair competition. Imagine this, 2 companies are competing, one a corporation, the other is set up such that one family controls it (and it isn't incorporated). Normally the family controlled business would incorporate to give it limited liability etc. However as it would stand under this situation they'd have a huge advantage.

          The family owned business starts sending lobbyists to congress, and gets a law passed that basically makes it such that they're
    • Re:WTF? (Score:5, Insightful)

      by luvirini (753157) on Friday February 17, 2006 @05:34AM (#14740776)
      But the 15 year old is a terrorist for attacking national infrastructure. The company is just trying to protect its god-given right to profits.
    • Re:WTF? (Score:5, Insightful)

      by jozi (908206) <valsharessa1.hotmail@com> on Friday February 17, 2006 @07:45AM (#14741066)

      Corporation: An organization created in order to generate individual profit without individual responsibility.

      That is why no one is in jail; it goes against the very idea of corporations. :o)

      • Re:WTF? (Score:3, Insightful)

        by darkmeridian (119044)
        I'm entertained by the knee-jerk reactionism that has allowed this "sociopathic corporation" meme to float around. Corporations are held responsible. They get sued for breaking the law and then bankrupted--a death sentence. Ask Kenneth Lay what he thinks about the dearth of individual responsibility in corporate law. Furthermore, we all have a god-given right to make profit. Nowhere do we have to act for the benefit of my fellow man; I just cannot hurt him. So if I should vote to say, fight a war in Iraq b
    • by iamlucky13 (795185) on Friday February 17, 2006 @02:05PM (#14743742)
      It really bugs me that DHS and generally everyone else are looking at this issue as if the security vulnerabilities in the Sony rootkit are the main issue. And perhaps it is to them, but not to me. The real issue is that Sony is installing software on computers without the owner's permission, and it's software that intentionally hobbles hardware/software you paid for. That's like being upset, not because a thief stole your TV, but because he left the back door unlocked when he left.
  • by Anonymous Coward on Friday February 17, 2006 @05:19AM (#14740731)
    "The recent Sony experience..." This phrase makes me wonder if Sony is going to be a catch phrase.

    "I just bought a DVD with rootkit software on it."
    "You've been Sony-ed", or,
    "That's the Sony experience!"
    • by anagama (611277) <obamaisaneocon@nothingchanged.org> on Friday February 17, 2006 @05:27AM (#14740752) Homepage
      I recently (about 2 weeks ago) had to buy two new monitors for my office. My business partner mentioned she saw a sale on some Sony LCD -- I said "no way" and we got something else. Had Sony not gone out of its way to be evil, I would've said "sure". Perhaps "Sonied" will be a term for companies that shoot themselves in the head with their marketing practices. I'd rather see that than a lot of customers being screwed.
      • by Anonymous Coward
        Funny you say that - I had exactly the same with a new 24" TFT we need for the office. And my wife wanted to get a Sony Camcorder, and I said to her 'No way, God knows what rootkits they are shipping with the editing software' I hope the right people from Sony read these comments.
      • by luvirini (753157) on Friday February 17, 2006 @05:51AM (#14740831)
        Vaio was one of the more popular laptop models for our salesforce. It has now been dropped from list of approved products.
        • by Anonymous Coward
          Ditto. No more Sony laptops for the people I help choose gear. Plus no more Sony AV gear for home and an 'on principle' purchase of the album 'Suck Fony'! And I'm going to kick the next Aibo I see.
        • by Anonymous Coward
          Surprised it ever made its way onto your list at all. Our MD got one (does a lot of presentations to clients, so the flashy screen helps the product look good), and the first thing I had to do was install XP Pro on it (it has to run a local IIS web server). It has an SATA HDD.

          As I have had many bad experiences with upgrading windows I tried to do a clean install of XP Pro. SATA not supported. OK, I thought, I'll download the controller drivers, write to floppy, and do the whole F6 thing.

          Checked the Sony
    • by luvirini (753157) on Friday February 17, 2006 @05:37AM (#14740786)
      "Sony, making your entertainment experience more thrilling"
  • So.. (Score:5, Funny)

    by Anonymous Coward on Friday February 17, 2006 @05:21AM (#14740738)
    Sony's root kit disabled the Department of Homeland Security's root kit. I can see why they might be miffed.
    • That is why they need regulation, so that the DHS rootkit will be included in each commercially distributed rootkit and so that the manufacturers check for compatibility.
      • Re:So.. (Score:5, Funny)

        by jibjibjib (889679) on Friday February 17, 2006 @06:00AM (#14740851) Journal
        What if I want to make my own rootkit? Will I have to register it with the DHS, and get them to audit it for security holes and check it for compatibility with their own rootkit?

        And what about Linux rootkits? Will Linux rootkits be supported by the DHS? Or will they just be banned altogether? Surely the DHS can't be stuffed writing a Linux rootkit as well as a Windows rootkit.

        Even scarier... what if Linux rootkits weren't regulated at all? Cyberterrorists could go on a rampage of linux rooting, and the government wouldn't be able to stop them, or more importantly, tax them.

        Hmm... that's an idea, the DHS could implement a rootkit tax, to fund their own rootkit development, and better protect our fellow God-fearing American citizens from the cyberterrorists of the future.

        The War on Terror is ending. The War on Rootkits is only just beginning...

    • It is probably more likely the SONY rootkit was found on DHS computers and left them vulnerable to compromise. I would not be surprised to find that it is still showing up in government PCs and calling home to SONY.
  • by James McGuigan (852772) on Friday February 17, 2006 @05:25AM (#14740746) Homepage
    So they have not been punished for their crime,

    They are not even being told they will get punished if they do it again,

    It seems to say, if you do it again, only then will make it illegal so you can't do it a third time.

    (Gee, I'll have to try that one next time I get busted by the cops - it's only my first offence, officer, you shouldn't lock me up until I've done it at least 3 times)
    • by smash (1351) on Friday February 17, 2006 @05:36AM (#14740781) Homepage Journal
      Or, as another poster pointed out, perhaps the "legislation" will LEGALISE their behavior so that the "problem" doesn't occur again, as they're acting within the law.

      smash.

    • The main difference here is that Sony didn't do anything considered illegal (some may try and construe it to be, but it is not considered so by federal regulations - your state laws may and will vary). This is more like if the police pulled you over for going the speed limit and told you "If everyone doesn't self regulate and go a little slower we will lower the speed limit".

      You, yourself said it: "It seems to say, if you do it again, only then will make it illegal so you can't do it a third time." which is
      • Check out 18 USC 1030 - Fraud in connection with computers

        Subsection (3) states that anyone who "intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Governmen
  • Regulation? (Score:4, Insightful)

    by RedHatLinux (453603) on Friday February 17, 2006 @05:26AM (#14740750) Homepage
    Ohh, you mean legalization and decriminalization of these behaviors, so that this does not become an issue again. Anything less than a total ban, backed up by some serious time in a federal pound you in the ass facility, means that someone has been bought out.
  • I suppose the time has finally come when we side with music companies and hope they'll make a new rootkit. :-)
  • Mr. & Mrs. Smith DVD (Score:5, Informative)

    by rminsk (831757) on Friday February 17, 2006 @05:32AM (#14740772)
    Let's hope the industry learns soon. There are recent products shipping with rootkits on them like the German release of Mr. and Mrs. Smith. http://www.f-secure.com/weblog/archives/archive-022006.html#00000810 [f-secure.com]
    • Interesting link... they mention that OSX now has a real virus! Security hole in ichat apparently.
      • Nope, it's a trojan, and it requires you to give it your admin password to do anything really nasty.
        • Did you read the summary? It puts itself as a hook DLL in the user's home directory and iChat blindly loads it without checking. No root password needed.
  • by Anyd (625939) on Friday February 17, 2006 @05:40AM (#14740793)
    Hooray!
    I told my senator to tell the RIAA and Sony to go f##k themselves... I guess he listened.
  • threatening? (Score:3, Insightful)

    by LParks (927321) on Friday February 17, 2006 @05:41AM (#14740800)
    Why merely threaten legislation if it continues to happen? Laws against "products with dangerous rootkit software" wouldn't seem to harm anyone. Enact the legislation now.
  • not malicious? (Score:4, Insightful)

    by a.d.trick (894813) on Friday February 17, 2006 @05:42AM (#14740807) Homepage

    From TFA:

    While Sony's software was distributed without malicious intent

    I guess that depends on what you mean by malicious. As far as I'm concerned, anyone who distributes trojans is either malicious, or mentally insane — on the same level as the man who thinks he's a poached egg.

    • Re:not malicious? (Score:4, Insightful)

      by luvirini (753157) on Friday February 17, 2006 @05:45AM (#14740813)
      The real thing was likely more criminal negligence than an attempt to break things. They should thus pay for all the associated costs, as anyone who breaks something owned by someone else would, and so on...
    • "I guess that depends on what you mean by malicious."

      Actually it's the word intent that's important - Sony used third party software that they believed would stop people copying their music, I doubt if Sony got in to too much technical details about how it worked. Managers don't want to know the gory details, they want to know if it works, how much it'll cost and how much profit it will make. All that was on Sony's mind was copy protection, even if the third party software had formatted your HDD Sony ma
    • Oh, so anyone who distributes trojans is malicious? How about pen testers, researchers, antivirus vendors, or simply people who feel like programming a trojan for its own sake?
      Even assuming that Sony's behaviour should be punished, how about we punish them for the actual damage they caused? Otherwise, it becomes just like the old patent rant: "just because it's made with a computer, it is not necessarily a new thing". So why bring in new laws?
      That said, anyone who feels like using state-sponsored violence
    • Although most of the problems were side effects rather than the main point of the software, distributing and demanding the installation of something that uses 2% of the computer's processor constantly is malicious. Although the intent of the software was preventing copying and could be construed as non-malicious (which I disagree with; it's not in my interest to be prevented from doing anything) intentionally distributing the software with these known side effects means there is malicious intent.
  • eh? (Score:4, Insightful)

    by szo (7842) on Friday February 17, 2006 @05:45AM (#14740814)
    You mean this was legal?
    • Mod Parent Up. (Score:5, Interesting)

      by SeaFox (739806) on Friday February 17, 2006 @05:55AM (#14740841)
      To have the government threaten to enact legislation is like having a parent wave their finger at a naughty child warning him not to break ANY MORE of the neighbor's windows.

      Laws have already been broken and all we're seeing is warnings implying this may be made illegal in the future.
      • I agree with your first point, but:

        Laws have already been broken

        Which ones? I don't mean to be difficult, but can you name the actual statutes that apply?
  • No malicious intent? (Score:5, Interesting)

    by erroneus (253617) on Friday February 17, 2006 @05:50AM (#14740828) Homepage
    While Sony's software was distributed without malicious intent, the DHS is worried that a similar situation could occur again, this time with more serious consequences. "It's a potential vulnerability that's of strong concern to the department," Frenkel said.

    Would someone please define malicious? I think it WAS malicious.

    ------------
    The American Heritage dictionary:
    malicious
    adj.

    Having the nature of or resulting from malice; deliberately harmful; spiteful.

    -------------
    Thompson-Gale Legal Encyclopedia:
    Malicious

    Involving malice; characterized by wicked or mischievous motives or intentions.

    An act done maliciously is one that is wrongful and performed willfully or intentionally, and without legal justification.

    --------------
    I'd say that given Sony's generally aggressive posture with regards to personal/individual fair use and copyright infringement, I think they could easily be characterized using words like "angry" and "vengeful." And regardless of the emotional component, it was certainly wrongful, willful, intentional and without legal justification.
  • by Adelle (851961)
    do as we say, not as we do.
  • by Rogerborg (306625) on Friday February 17, 2006 @05:55AM (#14740842) Homepage
    Last time I checked, the DHS doesn't work for the Legislature. Their job begins and ends with enforcing the existing laws.
  • wrong act.... (Score:3, Insightful)

    by luvirini (753157) on Friday February 17, 2006 @06:00AM (#14740850)
    read them the riot act

    Should it not read RICO act?

  • by Crash Culligan (227354) on Friday February 17, 2006 @06:12AM (#14740875) Journal

    ...thinks that DHS would love for this to happen again.

    From TFA: Baker stopped short of mentioning Sony by name, but Frenkel did not. "The recent Sony experience shows us that we need to be thinking about how to ensure that consumers aren't surprised by what their software is programmed to do," he said.

    I could almost see them thinking, . o O (...and the best way to do it would be to stringently regulate consumers' computers, so that we can watch for intrusions of this sort in future and prepare for them. Oh, do it again Sony? Ohpleaseohpleaseohpleaseohsnausagesohplease!)

  • by Opportunist (166417) on Friday February 17, 2006 @06:18AM (#14740883)
    A 17 year old writing a stupid trojan that does little but spread receives a 2 year sentence in jail and is only safe from compensation since companies didn't want to have the public know their systems are insecure.

    Read: Juvenile dick-waving without commercial interest -> 2 years prison.

    A large corporation spreading a rootkit with their product to their paying customer with the intent to cripple their customer's software performance (not being able to use it as intended, by manufacturer or user) that also has the capability of spying on their behaviour (allegedly they didn't use that function, but ... yeahsure) receives... a recommendation not to do anything like this again or else we might have to think about creating laws banning this behaviour (hey, those laws exist, enact them!).

    Read: Commercial malevolent infiltration of customers' computers -> Nada.

    The world sure is changing. When I was still in school, adding "commercial" to a crime sure upped your sentence by some magnitude. Nowadays it seems to be your "get out of jail" card if you commit a crime with financial interest.

    Al Capone simply died too early. He'd love these times.
    • The difference is your dick waving teenager is more likely to include 'rm -rf' in the mix, whereas the corporation doesn't want to do any damage. (short of gimping your CD player so you can't burn the precious precious musics.)

      If they hadn't gone about it in such a half assed way, such that people can exploit it to do real damage, it wouldn't have had the backlash it did.

      • Well, first, yes, a "teenage hacker" might include some harmful code. That's where the fun part ends. But he didn't. There was no direct damage involved (besides some spam for the spreading routine, which is dwarfed by the amount of spam from c15al1s and v1agra).

        Still, 2 years and some other rules that simply crippled his future, like banning him from the 'net for a while.

        Imagine a ban on Sony to produce music for 2 years, what good this could do!

        But I ramble. The core point is that there is NO way that you
    • The difference is that with the Sony rootkit, people who installed it "agreed" to have the rootkit installed when they accepted the EULA. Yes, we all know that is a pretty dodgy excuse, and that it might not work in some jurisdictions, or for certain purposes, but it really does make a big difference legally. The 17 year old doesn't even have a dodgy excuse.

      There are also good reasons why the government is unwilling to pass explicit legislation. Defining a rootkit is difficult, and sometimes people really a
    • hey, those laws exist, enact them!

      At risk of being pedantic, I think you mean "enforce them!"

      Other than that, well said!

  • by will_die (586523) on Friday February 17, 2006 @06:21AM (#14740894) Homepage
    The main bulk of the article is about a recent speech where the director of law enforcement policy talked about how companies should be careful about how they implement copy protection and how it should not damage or surprise users in how it works.
    In there is a small paragraph mentioning that DHS had a talk with Sony and that what they did "was not a useful thing", which becomes the main thing.
    The thing that should have been focused on was the message from DHS that companies should not defeat the security measures that people have in place on their computers.
  • by LarsWestergren (9033) on Friday February 17, 2006 @06:30AM (#14740920) Homepage Journal
    I was about to download the demo for Battle for Middle Earth 2 the other day, only to read that the goddamn DEMO comes with the StarForce [boingboing.net] malware.

    According to Wikipedia [wikipedia.org], Ubi Soft, Digital Jesters and Codemasters routinely use StarForce on new games. Forget about consoles, THIS is what might kill PC gaming permanently.
  • What is a rootkit? (Score:5, Informative)

    by tom6a (871216) on Friday February 17, 2006 @06:31AM (#14740923)
    If you are looking for a good reference to understand a rootkit I recommend Matt Vea's article "Rootkits: The 'r00t' of Digital Evil." He wrote it back in November when the Sony fiasco was first revealed. Link: http://www.omninerd.com/2005/11/22/articles/43 [omninerd.com]
  • by AlphaSys (613947) on Friday February 17, 2006 @06:35AM (#14740932)
    Another example of our tax-dollar-paid servants not applying themselves to the task mentally:

    "A U.S. Department of Homeland Security (DHS) official warned today that if software distributors continue to sell products with dangerous rootkit software, as Sony BMG Music Entertainment recently did, legislation or regulation could follow."

    The important thing to keep in mind is that, while SONY may have a software division, the product sold wasn't even a software product at all, and no disclosure of a software product was discussed in any terms of sale, etc. The whole software angle was completely surreptitious. It's not just "software distributors" that need policing here. When it boils down to it, this SONY division had no business "engineering" software into their product; they had little grasp of the ethics or the technical implications of what they were doing... or at least that's what they tell us now. For all we know, they were fully aware and just did it anyway thinking plausible deniability was all they would need when it came to light. If indeed they thought so, they would seem to have been prescient - nothing has happened because of it. I for one am a bit surprised at that.
  • by layer3switch (783864) on Friday February 17, 2006 @06:42AM (#14740941)
    for distributing Celine Dion CDs. I don't mind rootkit (haven't bought "CD" in 10 years), but for Pete's sake, someone feed that woman.
  • by bennomatic (691188) on Friday February 17, 2006 @06:44AM (#14740947) Homepage
    what I want is a w00tkit!

  • Interesting. I will wait with interest to see whether any such legislation can be created that does not also force a ruling against the software embedded in new DVD drives that will let remote attackers brick your hardware. In particular, this will be quite fun if there is a system driver that gets installed (r00tkit!) which enforces the process across all copy operations. I think the definition of rootkit is a slippery sliding thing and you could even say Microsoft supplies them if you didn't know about
  • ...is to buy the technology so they can keep an eye on all you terrorists out there ;)
  • by The Mgt (221650) on Friday February 17, 2006 @07:38AM (#14741050)
    I'm sure good things will come of this. :/
  • Sony BMG settles (Score:5, Informative)

    by Dachannien (617929) on Friday February 17, 2006 @08:28AM (#14741171)
    On a side note, Sony BMG settled the class action lawsuit filed against them by the EFF. If you want replacement CDs released by Sony BMG that don't have XCP or MediaMax on them, head to http://www.eff.org/sony [eff.org] for more info.

    It's your chance to stick it to the man.
  • Morals? Ethics? (Score:3, Insightful)

    by micpp (818596) on Friday February 17, 2006 @08:42AM (#14741207) Homepage
    I've often wondered why things like this rootkit exist in the first place. Does Sony only employ those who are morally bankrupt? Surely someone at some point in Sony would have said "Hey, this is kinda evil".
  • Why can't the market just dictate that companies can't hide 'root kits' on their music CDs?

    If people just stop buying their crap, they will change how they do business or go out of business.
  • This is like telling a rapist he better "Cut it out now... it's not funny anymore. Seriously... please? If... if you don't stop we'll have to give you a warning. I'm serious... hey.... HEY! Stop humping my leg! BAD RAPIST!!!"

    How lax can they get?! When you hurt millions of people, you get punished. So, if Sony puts out another rootkit, will they be at all worried about repercussions? Hell no! They just got away with it.

  • by erroneus (253617) on Friday February 17, 2006 @12:02PM (#14742584) Homepage
    "Shareholders" are about as identifiable as "terrorists." Let's cut through the bullshit on this one.

    When you count out who the majority VOTING shareholders are, you will find that a vast majority of the time, they are the same decision makers who are citing "will of the shareholders." It's bullshit. A doctor should do no harm regardless of who pays his fees. A corporation should do no evil regardless of shareholder interest or profit-making directives. The decision of HOW to go about making profit was made by people and THOSE people should be held accountable for those decisions.

  • Sony is EVIL!!! (Score:3, Interesting)

    by rlp (11898) on Friday February 17, 2006 @01:33PM (#14743452)
    So I guess Sony is the new official Slashdot punching bag ... till the PS/3 comes out.
  • by mpapet (761907) on Friday February 17, 2006 @01:45PM (#14743569) Homepage
    Why is DHS the one that is playing enforcer here? How does policing corporations in private fit into their responsibilities of providing homeland security?

    With computer crimes there's some kind of investigation from local and federal law enforcement (FBI maybe?) and maybe a public hearing or two to give the appearance to voters that something is going to be done.

    Please point out the obvious here because I'm missing it.
